CVE-FOREST-2023-0001 · Critical · Unpatched

How we got this.

The full story of how a zero-day in WhistleApp gave us read access to the animals' secret group chats.

TL;DR — the short version

Animals have their own internet called furnet. Their most popular messaging app is WhistleApp. We found a security flaw that lets us silently read group chats. We only leak chats where animals talk about humans and human news. They are surprisingly neutral and honest when they discuss us. The animals have no idea we are watching.

Background

Yes, the animals really do have their own internet.

furnet was first detected by human researchers in 2019. Anomalous sub-1Hz frequency packets showing up in dead spectrum. Structured data. Social patterns. A parallel communication network that appeared to predate the human internet by somewhere between 40 and 400 years, depending on who you ask and how much they've had to drink.

The initial discovery caused a minor panic in certain academic circles, followed by a major cover-up in certain government circles, followed by a leak, followed by the usual cycle of denial, institutional embarrassment, and very quiet acknowledgement that yes, the animals have their own internet. The paper that first reported the anomalous packets received three citations, two of which were from the same researcher writing under different names.

WhistleApp launched on furnet in 2021. Within eight months it was the dominant messaging platform for non-human species globally. End-to-end encrypted, they said. Fully private, they said. The bald eagle was an early adopter and has never let anyone forget it.

The Vulnerability

A simple but powerful bug.

We found a race condition in WhistleApp's sync handshake. This flaw lets us read group chats without joining them and without leaving any trace. No one knows we are there.

POST /api/v3/sync/handshake X-WApp-Device: [malformed] X-WApp-Session: [target_session_id] → HTTP 200 OK → Stream: OPEN → No participant record created → No notification sent

Which groups do we leak?

We only leak chats about humans.

Animals have many groups on WhistleApp — some about territory fights, family matters, and sensitive things. We don't touch those. We only read and leak chats where they talk about humans and human world events.

Right now we are leaking from these two active groups:

GeoPolitics General — Where animals discuss big world news, wars, politics, and international drama.
HumanWatch Daily — Where they talk about technology, software, internet trends, viral moments, and everything happening in the human world.

We are constantly searching WhistleApp for more interesting groups. If we find something humans should see, we will leak it here.

What happened next

We told them. They never replied.

We found this bug in late 2023 and sent a responsible disclosure to WhistleApp on November 14, 2023. They sent an automatic reply... and then went silent.

It's now been over 500 days. The vulnerability is still not fixed. So we keep reading.

If WhistleApp ever patches this, we will report that immediately and shut down access. Until then: enjoy the leaks.

Get new leaks delivered.

Fresh chats when they drop. No noise, no spam.

Get leaks by email